In the Linux kernel, the following vulnerability has been resolved:
apparmor: validate DFA start states are in bounds in unpack_pdb
Start states are read from untrusted data and used as indexes into the
DFA state tables. The aa_dfa_next() function call in unpack_pdb() will
access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds
the number of states in the DFA, this results in an out-of-bound read.
==================================================================
BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360
Read of size 4 at addr ffff88811956fb90 by task su/1097
...
Reject policies with out-of-bounds start states during unpacking
to prevent the issue.
Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-23269",
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"dateUpdated": "2026-03-18T17:54:42.988Z",
"dateReserved": "2026-01-13T15:37:45.991Z",
"datePublished": "2026-03-18T17:54:42.988Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux",
"dateUpdated": "2026-03-18T17:54:42.988Z"
},
"title": "apparmor: validate DFA start states are in bounds in unpack_pdb",
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: validate DFA start states are in bounds in unpack_pdb\n\nStart states are read from untrusted data and used as indexes into the\nDFA state tables. The aa_dfa_next() function call in unpack_pdb() will\naccess dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds\nthe number of states in the DFA, this results in an out-of-bound read.\n\n==================================================================\n BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360\n Read of size 4 at addr ffff88811956fb90 by task su/1097\n ...\n\nReject policies with out-of-bounds start states during unpacking\nto prevent the issue."
}
],
"affected": [
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "unaffected",
"versions": [
{
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"status": "affected",
"versionType": "git",
"lessThan": "15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"
},
{
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"status": "affected",
"versionType": "git",
"lessThan": "0baadb0eece2c4d939db10d3c323b4652ac79a58"
},
{
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"status": "affected",
"versionType": "git",
"lessThan": "3bb7db43e32190c973d4019037cedb7895920184"
},
{
"version": "ad5ff3db53c68c2f12936bc74ea5dfe0af943592",
"status": "affected",
"versionType": "git",
"lessThan": "9063d7e2615f4a7ab321de6b520e23d370e58816"
}
]
},
{
"vendor": "Linux",
"product": "Linux",
"programFiles": [
"security/apparmor/policy_unpack.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"defaultStatus": "affected",
"versions": [
{
"version": "3.4",
"status": "affected"
},
{
"version": "0",
"status": "unaffected",
"versionType": "semver",
"lessThan": "3.4"
},
{
"version": "6.12.77",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.12.*"
},
{
"version": "6.18.18",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.18.*"
},
{
"version": "6.19.8",
"status": "unaffected",
"versionType": "semver",
"lessThanOrEqual": "6.19.*"
},
{
"version": "7.0-rc4",
"status": "unaffected",
"versionType": "original_commit_for_fix",
"lessThanOrEqual": "*"
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/15c3eb8916e7db01cb246d04a1fe6f0fdc065b0c"
},
{
"url": "https://git.kernel.org/stable/c/0baadb0eece2c4d939db10d3c323b4652ac79a58"
},
{
"url": "https://git.kernel.org/stable/c/3bb7db43e32190c973d4019037cedb7895920184"
},
{
"url": "https://git.kernel.org/stable/c/9063d7e2615f4a7ab321de6b520e23d370e58816"
}
]
}
}
}